Date: Fri, 13 Oct 2017 07:53:27 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: Install-time "hardening" options
Message-ID: <f53d3a86-4904-dd3f-2829-ac82fb4d9377@FreeBSD.org>
In-Reply-To: <5273.1507843937@segfault.tristatelogic.com>
References: <5273.1507843937@segfault.tristatelogic.com>

On 12/10/2017 22:32, Ronald F. Guilmette wrote:
>
> In message <21945e9b-6573-5f8d-9b6d-26bbb8bfd748@sentex.net>,
> Mike Tancsa <mike@sentex.net> wrote:
>
>>> (*) Disable opening Syslogd network socket (disables remote logging)
>>
>> Is not the default -s and this option makes it -ss. "disable remote
>> logging" as in the host you are configuring cannot send out messages to
>> other syslogd servers.
>
> Was that a question or a statement?
>
> If you are asserting that indeed, yes, star'ing this specific "hardening"
> option just causes the local machine to -not- send -outbound- syslog
> messages, then certainly, that is indeed a horse of a different color
> from what I was talking about, which was -accepting- -inbound- syslog
> messages/packets.
>
> At the very least, the wording on this option should be clarified to
> make it apparent if the thing being disabled in this case is inbound
> syslog messages or outbound ones.

syslogd -ss disables any sort of syslog transmission over the network,
in either direction. All you can do is write to local files or (the
little used facility to) pipe syslog into an application.

Cheers,

Matthew
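
The -s / -ss distinction discussed in this thread, as an added example that is not part of the original message or of FreeBSD's own code: a POSIX shell function that classifies a syslogd_flags string by the number of -s flags it carries. The mode labels and sample flag strings are constructed, and the list of option letters that take an argument is an assumption taken from FreeBSD's syslogd(8).

```shell
#!/bin/sh
# Added example: classify a syslogd_flags string by how many -s flags it has.
# Option letters that take an argument (assumed from FreeBSD syslogd(8)):
# a b f l m O P p S. Their arguments must not be scanned for "s".

# The body is a subshell, so "set -f" and the variables do not leak out.
syslogd_net_mode() (
    set -f                      # no globbing of values such as -a '*.example.org'
    count=0
    skip=0
    for word in $1; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case $word in
            --)  break ;;
            -?*) rest=${word#-} ;;
            *)   break ;;       # first non-option word ends option parsing
        esac
        while [ -n "$rest" ]; do
            c=${rest%"${rest#?}"}   # first character of the cluster
            rest=${rest#?}
            case $c in
                s) count=$((count + 1)) ;;
                [abflmOPpS])
                    # Argument is the rest of this word, or else the next word.
                    if [ -z "$rest" ]; then skip=1; fi
                    rest=
                    ;;
            esac
        done
    done
    if [ "$count" -ge 2 ]; then
        echo "no-network-socket"    # -ss: nothing sent or received over the network
    elif [ "$count" -eq 1 ]; then
        echo "outbound-only"        # -s: remote messages are not logged
    else
        echo "inbound-and-outbound" # no -s: remote messages accepted (see -a)
    fi
)

# Constructed sample values, not taken from any real host.
for flags in "-s" "-ss" "-s -s" "-4ss" "-s -P /var/run/syslog.pid" "-a sshd.example.org"; do
    printf '%-28s %s\n' "$flags" "$(syslogd_net_mode "$flags")"
done
```

On a FreeBSD host the configured value can be read with `sysrc -n syslogd_flags` and passed to the function.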